The Vigil@nce team describes computer vulnerabilities impacting your systems, and offers solutions to correct them.
vulnerability bulletin 9483
TYPO3: SQL injection in Calendar Base
Synthesis of the vulnerability
An attacker can inject SQL queries in the Calendar Base extension of TYPO3.
Severity: 2/4.
Creation date: 02/03/2010.
Description of the vulnerability
The Calendar Base (cal) extension of TYPO3 implements a calendar.
The iCalendar format is a standard exchange format for schedulers.
When Calendar Base imports iCalendar data, the data is not checked and is used directly in an SQL query.
An attacker can therefore invite the victim to import a malicious iCalendar file, in order to execute SQL queries on the TYPO3 service.
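The following is an added example, not code from Calendar Base or from the bulletin: it contrasts an import routine that pastes iCalendar property values into the SQL text with one that validates `DTSTART` and binds every value. Python with `sqlite3` stands in for the extension's PHP and database layer, and the `events` table, the function names and the sample file are assumptions constructed for illustration.

```python
import re
import sqlite3

# Constructed sample file: the SUMMARY value carries SQL metacharacters.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\nBEGIN:VEVENT\r\n"
    "UID:evt-1@example.test\r\nDTSTART:20100302T090000Z\r\n"
    "SUMMARY:x', 'changed-by-data') --\r\n"
    "LOCATION:Room 1\r\nEND:VEVENT\r\nEND:VCALENDAR\r\n"
)
DT_RE = re.compile(r"\d{8}(T\d{6}Z?)?")  # iCalendar DATE or DATE-TIME

def parse_events(ics):
    """Unfold content lines and return one property dict per VEVENT."""
    text = re.sub(r"\r?\n[ \t]", "", ics)  # RFC 5545 line unfolding
    events, cur = [], None
    for line in text.splitlines():
        if line == "BEGIN:VEVENT":
            cur = {}
        elif line == "END:VEVENT" and cur is not None:
            events.append(cur)
            cur = None
        elif cur is not None and ":" in line:
            name, value = line.split(":", 1)
            cur[name.split(";")[0].upper()] = value  # drop property parameters
    return events

def new_db():
    db = sqlite3.connect(":memory:")  # hypothetical schema, not the extension's
    db.execute("CREATE TABLE events (uid TEXT, dtstart TEXT, summary TEXT, location TEXT)")
    return db

def import_unsafe(db, ev):
    # Weak form: file values become part of the statement text.
    db.execute("INSERT INTO events VALUES "
               f"('{ev['UID']}', '{ev['DTSTART']}', '{ev['SUMMARY']}', '{ev['LOCATION']}')")

def import_safe(db, ev):
    # Hardened form: validate the structured field, bind every value as data.
    if not DT_RE.fullmatch(ev.get("DTSTART", "")):
        raise ValueError("DTSTART is not an iCalendar date or date-time")
    db.execute("INSERT INTO events VALUES (?, ?, ?, ?)",
               (ev["UID"], ev["DTSTART"], ev["SUMMARY"], ev.get("LOCATION", "")))

def stored_row(importer):
    """Import the sample with the given routine and return (summary, location)."""
    db = new_db()
    importer(db, parse_events(SAMPLE_ICS)[0])
    return db.execute("SELECT summary, location FROM events").fetchone()
```

With the concatenating routine the stored location no longer matches the file, because the `SUMMARY` text rewrote the statement; with bound parameters the same text is stored verbatim as the summary.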
Complete Vigil@nce bulletin
Characteristics
Title: TYPO3: SQL injection in Calendar Base.
Keywords: Base Calendar SQL TYPO3 iCalendar injection.
Identifiers: BID-38493, TYPO3-SA-2010-005, VIGILANCE-VUL-9483.
Information sources
Solutions for this vulnerability
Computer vulnerabilities tracking service
The Vigil@nce computer vulnerability tracking service alerts your teams of vulnerabilities or threats impacting your information system.
The Vigil@nce vulnerability database contains several thousand vulnerabilities.
This bulletin is published by the Vigil@nce team, which tracks computer vulnerabilities impacting systems and applications.
Security vulnerability alerts